Sample OpenID Connect request
1. Authorization code flow
1. The client application creates a random string, named nonce, and sends the user to the following URL:
https://<identityprovider>/authorization?redirect_uri=https://<serviceprovider>/response&client_id=MYCLIENT&nonce=12345679801234567890&scope=openid&response_type=code
2. Then the user is asked for a username and password, or authenticated by any other means. After the user has been authenticated, the browser is redirected to the URL configured in the service provider page, with a one-time authorization code appended.
https://<serviceprovider>/response/?
3. Once the service provider has received the one-time authorization code, it can connect to the identity provider to retrieve the OAuth token, as well as the OpenID token.
POST https://<YOUR_SERVER>:2443/token
Accept: application/json
Authorization: Basic dGVzdDp0ZXN0
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=XXXXXXXXXXXX
The parameters sent are grant_type, set to authorization_code, and code, the one-time authorization code received in the previous step. The client authenticates to the token endpoint with the HTTP Basic Authorization header.
The response will look like this:
{
  "access_token": "8bDP2P...",
  "refresh_token": "gjLmSW...",
  "id_token": "eyJra.eyJ.LQ_XtHKr.RY3A4...",
  "token_type": "Bearer",
  "expires_in": 11998
}
- The id_token field contains the OpenID token.
- The access_token field contains the OAuth token.
4. Before the number of seconds specified in expires_in has elapsed, the token can be renewed by invoking the token endpoint again with a different grant_type:
Request
POST https://<YOUR_SERVER>:2443/token
Accept: application/json

grant_type=refresh_token&refresh_token=XXXXXXXXXXXX
The parameters sent are grant_type, set to refresh_token, and refresh_token, the value received in the previous token response.
The response will look like this:
Response
{ "access_token":"8bDP2P...", "refresh_token":"gjLmSW...", "id_token":"eyJra.eyJ.LQ_XtHKr.RY3A4...", "token_type":"Bearer", "expires_in":11998 } |
2. User’s password + client credentials flow
3. Closing the session
4. Getting user attributes
All the user attributes can be extracted from the OpenID token. Alternatively, they can be retrieved in a more readable format using the user-info endpoint.
Request
GET https://<YOUR_SERVER>:2443/user-info
Accept: application/json
Parameters
Response
{ "sub": "admin", "surname": "Admin", "given_name": "Admin", "member_of": [ "TestRole2@soffid", "TestRole@soffid" ] } |
5. Getting a session cookie for the user
Sometimes, a mobile application has authenticated the user using the username & password grant, but wants to share this authenticated session with the underlying web browser. For such a case, the application can request a session cookie with this request:
Request
GET https://<YOUR_SERVER>:2443/session_cookie
Accept: application/json
Parameters
Response
{ "stats":"Success" } |